
02-03-2011, 11:01 AM
New Member
Join Date: Feb 2011
Posts: 7
Quote:
Are you talking about "chain" and "skip" actions? those actions are supported currently.
There are litespeed users loading getroot or some other modsec rule sets. rules using regular express matching do work. It does not break LiteSpeed.
Thank you for the reply. No, I'm talking about the ability to actually create branching logic using SecAction, Secskip, SecMarker and other methods. Example:
# If the method is one of these, skip the next rule (the SecAction) so the checks below run
SecRule REQUEST_METHOD "@pm trace track connect post" \
    "phase:1,t:none,t:lowercase,pass,nolog,skip:1"
# Any other method jumps straight to the END_FOO marker
SecAction phase:1,t:none,pass,nolog,skipAfter:END_FOO
# Rule 340002: deny TRACE/TRACK method
SecRule REQUEST_METHOD "trac(?:e|k)" \
    "phase:1,t:none,t:lowercase,id:340002,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: TRACE/TRACK method denied'"
# Rule 340361: deny CONNECT method
SecRule REQUEST_METHOD "connect" \
    "t:none,t:lowercase,capture,phase:1,t:lowercase,id:340361,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: CONNECT method denied',logdata:'%{TX.0}'"
SecMarker END_FOO
Do you support that? And what about the transforms in 2.5.13, like escapeSeqDecode, removecomments, and others? I could go on, but you get the point. I couldn't find any documentation on your WAF module; if you could point me to it then I would know what you do support, and what 2.5.x logic won't work with your WAF module. As it stands right now, I get several reports a week that the current gotroot and OWASP rules don't work with your implementation. If you don't support all the features in 2.5.13, then that makes sense. Could you please tell me what features you do support?
Quote:
There are litespeed users loading getroot or some other modsec rule sets. rules using regular express matching do work. It does not break LiteSpeed.
I'm a bit puzzled by this response. Do you support the whole rule language or not? If not, then rules won't work correctly (ModSecurity rules require a lot more than just regular expression matching). If your implementation is supposed to be a drop-in replacement I'm glad to hear that, so can you confirm that you support the whole 2.5.13+ rule language? And if not, what do you support?
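To make the branching in the quoted rules concrete, here is a small Python model of the phase-1 flow-control actions (skip:N, skipAfter:MARKER, SecMarker). It is an added example, not ModSecurity's engine and not code from this thread; the rule list, the regex standing in for @pm, and the assumption that deny comes from SecDefaultAction are all constructed for illustration.

```python
import re

# Constructed model of the phase-1 flow-control actions used in the rules above
# (skip:N, skipAfter:MARKER, SecMarker). Not ModSecurity's engine: it matches the
# lowercased request method (as t:lowercase does) and tracks only pass/deny.
RULES = [
    # @pm is a substring phrase match, so an unanchored alternation stands in for it
    ("SecRule", r"trace|track|connect|post", {"pass": True, "skip": 1}),
    ("SecAction", None, {"pass": True, "skipAfter": "END_FOO"}),
    # deny is assumed to come from SecDefaultAction in the original rule set
    ("SecRule", r"trac(?:e|k)", {"id": 340002, "deny": True}),
    ("SecRule", r"connect", {"id": 340361, "deny": True}),
    ("SecMarker", "END_FOO", {}),
]


def marker_index(rules, name):
    """Position of the SecMarker called `name` in the rule list."""
    for j, (kind, label, _) in enumerate(rules):
        if kind == "SecMarker" and label == name:
            return j
    raise KeyError("no SecMarker %s" % name)


def evaluate(method, rules=RULES, flow_control=True):
    """Run one request through the rules; return (verdict, indexes evaluated).

    With flow_control=False, skip/skipAfter are treated as plain pass, which is
    what an engine that does not implement them does: every rule runs in turn.
    """
    subject = method.lower()
    evaluated = []
    i = 0
    while i < len(rules):
        kind, pattern, actions = rules[i]
        if kind == "SecMarker":          # markers are jump targets, not checks
            i += 1
            continue
        evaluated.append(i)
        matched = kind == "SecAction" or re.search(pattern, subject) is not None
        if matched and actions.get("deny"):
            return ("deny:%d" % actions["id"], evaluated)
        if matched and flow_control and "skip" in actions:
            i += 1 + actions["skip"]     # skip the next N rules
        elif matched and flow_control and "skipAfter" in actions:
            i = marker_index(rules, actions["skipAfter"]) + 1
        else:
            i += 1
    return ("pass", evaluated)
```

A GET never reaches the deny rules (the SecAction jumps past END_FOO), while TRACE and CONNECT are routed to 340002 and 340361 respectively.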

02-03-2011, 11:13 AM
New Member
Join Date: Feb 2011
Posts: 7
Quote:
If I'm setting up a new server with LiteSpeed right now (under cPanel/WHM), what do I need to do in order to get the best mod_security protection? Given that not all the 2.x rules are compatible, will the gotroot set break LiteSpeed?
My two cents: I don't know if it will "break" LiteSpeed (I doubt it), but if LiteSpeed doesn't support the full rule language you will not be as secure against web attacks, and many of the rules written for ModSecurity may not even work correctly. You really need the full feature set in ModSecurity 2.5.13 to use either the gotroot or OWASP rules, which are written for ModSecurity. Those rules might "load," but without all the features they won't work correctly; they probably won't even detect attacks properly. 2.5.x rules are very different from the simplistic 1.9.x "look for this regexp" rules; it's like night and day. So even though 1.9.x rules worked in the past, that does not mean modern 2.5.x rules will: the whole syntax of the language changed between 1.9.x and 2.0, and 2.5.x has added tons of new things.
Quote:
Also, will ASL Lite work in a cPanel situation with LiteSpeed installed? (I mean, assuming that the rules will work, will the ASL Lite autoupdater also work...or does it not coexist with LiteSpeed?
ASL Lite works great with cPanel, and the autoupdater will work just fine with cPanel and LiteSpeed. The issue is whether LiteSpeed understands the rules, and your guess is as good as mine. As I understand it, I thought LiteSpeed was a drop-in replacement for Apache, and if it is then the answer should be yes. However, we don't know what LiteSpeed supports in its ModSecurity-like implementation (I can't find any documentation; if someone could point me to it that would be awesome!) and we have had lots of reports that the 2.x rule sets don't work right: ours, OWASP's or anyone else's.
So the LiteSpeed implementation appears not to be feature complete, and I'd like nothing more than to be wrong about that and to say yes, it will work. So if someone from LiteSpeed could explain what they do support, we'd all appreciate that.
Without knowing what it does support it's very difficult to even begin to write rules for it, and with reports that things don't work right, all I can say is no, the gotroot and OWASP rules will not work right (they may not even load correctly) with LiteSpeed's WAF. With that said, I hope LiteSpeed is close to full 2.5.13 compatibility, because if all it has is 1.9.x compatibility then no, it won't be as secure as Apache. :-(
Quote:
I love LiteSpeed but I also need security. So any advice will be appreciated.
Me too! :-)

02-03-2011, 11:14 AM
Senior Member
Join Date: Nov 2009
Posts: 56
Of course Mike's answer is way over my head. However, in layman's terms, I'd like a similar answer:
Exactly what mod_security protection does LiteSpeed provide? Is it full support for all rules? Or is it limited...and, if so, HOW limited? In today's security climate, vague answers simply aren't good enough. If we're putting our servers in the hands of your software...and paying a pretty penny for your software when other software is available for free...we need definitive answers on what protection your software is giving us (or not).
Also, I'm confused about the answer on whether the gotroot rules will work with LiteSpeed. I've seen multiple reports that the rules don't work well with LiteSpeed (not a gotroot issue, but apparently an issue with LiteSpeed's mod_security implementation). Of course, mod_security rules are only effective if they protect but don't interfere with normal operations.
So I'd really appreciate some frank, detailed answers from LiteSpeed on this issue. We are deploying a new server this week, and we can't justify using LiteSpeed on it (or continuing to use LiteSpeed elsewhere) without knowing these answers.
Thanks,
Mark

02-03-2011, 11:59 AM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
Got it. Support for SecMarker and the skipAfter action is required; it should be easy to implement. We do assume rule IDs are numeric, though; all examples given in the modsec document are integers.
We are adding more features for our 4.1 release to improve compatibility with modsec 2.5; however, there are some features we won't consider supporting right now:
1. XML related.
2. PDF related.
3. Lua script (we are investigating, may add, but low priority).
4. Geo lookup (duplicates mod_geoip; can use env added by mod_geoip).
5. Inspecting response body (still evaluating).
6. Executing external script.
We do not plan to implement these features mainly because some of them may rely on third-party libraries, and the license of that library may not allow us to incorporate it into our product; some features may severely slow down the non-blocking, single-thread process, especially when a large amount of data needs to be processed, which is fatal. We have seen even PCRE hanging the lshttpd process with 100% CPU.
Hope this makes our mod_sec support a little bit clearer.
BTW: we will publish a document regarding what features are supported and what are not, after our 4.1 release has settled.
Last edited by mistwang; 02-03-2011 at 12:14 PM..

02-03-2011, 12:04 PM
Senior Member
Join Date: Nov 2009
Posts: 56
Thanks for the reply. However, it's highly technical...I'm wondering if you can explain in layman's terms:
- How secure is LiteSpeed now? (In other words, how much of the mod_security functionality is missing?)
- When will additional security be added?
- When will LiteSpeed offer the full protection currently offered by Apache + mod_security?
I was actually surprised to find that much of this functionality is missing, since LiteSpeed is marketed as a complete equivalent replacement for Apache. It should definitely have been disclosed that important security features are not implemented, IMHO.
Thanks,
Mark

02-03-2011, 12:57 PM
New Member
Join Date: Feb 2011
Posts: 7
Thank you for the reply. Based on the modsecurity documentation here:
http://www.modsecurity.org/documenta...ce.html#N11514
Which of its features are supported in LiteSpeed today, and what is planned for your next release?

02-04-2011, 10:38 AM
Senior Member
Join Date: Nov 2009
Posts: 56
Hi Again,
We are deploying a new server over the weekend, and we have decided that we will not even consider using LiteSpeed on it until we receive answers for the questions asked previously:
- How secure is LiteSpeed now? (In other words, how much of the mod_security functionality is missing?)
- When will additional security be added?
- When will LiteSpeed offer the full protection currently offered by Apache + mod_security?
In addition, we will probably discontinue our existing use of LiteSpeed until we get these answers. And we may still stay away from LiteSpeed if the answers are not favorable. For example, if it will still be a long time before LiteSpeed offers the same security as Apache, we'll have to take that into consideration.
We are a bit upset that we've been using LiteSpeed for some time now, thinking that it offered the full functionality of Apache in terms of security...only to find out that it does not. And we aren't even sure how much of that security it does offer, because those answers are not being provided. We feel that a major shortcoming like this should have been disclosed publicly, instead of LiteSpeed simply being advertised as a drop-in replacement for Apache, with no mention of gaping security holes and lack of full support for mod_security.
Mark

02-06-2011, 04:22 PM
Senior Member
Join Date: Nov 2009
Posts: 56
LiteSpeed, can you please answer the questions I've asked:
- How secure is LiteSpeed now? (In other words, how much of the mod_security functionality is missing?)
- When will additional security be added?
- When will LiteSpeed offer the full protection currently offered by Apache + mod_security?
These are fair questions, as you are advertising a functional replacement for Apache. So, as hosts, we need to know what security functionality is missing from your product.
Can you also clarify your request filtering functions? Do they replace some of the missing mod_security functionality? Do they require their own rules? Are the rules included in the LiteSpeed installation? Are the rules updated automatically?
The security-related functions (e.g., mod_security, etc.) are not very well explained. Please provide answers so we can decide whether to use your product moving forward.
Thanks,
Mark
EDIT: I'm not trying to be negative or hostile, in fact I hope the answers are not bad...I hope that LiteSpeed is very secure in terms of mod_security. But without the answers I don't know what the situation is. Thanks.
Last edited by markb1439; 02-06-2011 at 08:11 PM..
Reason: Clarity.

05-08-2011, 10:16 AM
Senior Member
Join Date: Aug 2010
Posts: 58
Hi Mark, gotroot guy and LiteSpeed staff. This thread is typical of the LiteSpeed forum.
Staff eventually not replying and not finding a sufficient resolution. Now I am aware you have added modsec 2.5 support to your latest release; however, it really isn't sufficient. Your changelog displays this, but by that you could mean you have added 1 feature of 2.5 or the entire functionality. However, from using 4.1 I have found that you really haven't added much of the functionality some people would require.
I have found LocationMatch rules for example, not to work.
Quote:
<LocationMatch /admincp>
SecRuleRemoveById 330069
</LocationMatch>
Even simple SecRules from testing have failed to work?!
Quote:
#Silent1.pl
SecRule REQUEST_URI "silent1\.pl"
Now I have paid for this service fair and square; however, the results I am getting are not sufficient. I have purchased an owned license with yourselves and that is more than enough to fund development. I have tried contacting your support directly and you tell me to use the forum, all in vain when you don't even help!
Your support is shabby and your pricing somewhat outrageous. Now, while I agree with everyone that LiteSpeed is a great piece of kit, when it comes to security it has so much further to go. Why don't you drop the support for your own Modsec alternative and let us use Mod_Security? Wouldn't that just make life a little easier for you? Your product has some rough edges and this is certainly one of them. Functions that have worked in previous versions I find no longer work (see my previous threads), and please take a look at the latest addition to my threads.
Regards,
Chris.

05-08-2011, 07:20 PM
LiteSpeed Staff
Join Date: May 2003
Location: New Jersey
Posts: 7,590
Those rules should work fine with 4.1 release.
We need to either check it on your server, or copy your configuration to our lab environment to reproduce it.